Educause Security Discussion mailing list archives
Re: IPtables versus Tcp_wrapper
From: Josh Richard <jrichar4 () D UMN EDU>
Date: Thu, 4 Mar 2010 12:29:43 -0600
On Thu, 2010-03-04 at 12:30 -0500, Valdis Kletnieks wrote:
> On Wed, 03 Mar 2010 17:01:11 CST, Josh Richard said:
> > In any case, are we in agreement that given the choice of one or the other,
> > the preferred method would be iptables as it drops packets?
>
> Important nit - iptables *optionally* drops packets. ;) Sometimes, it's nice
> to send back a notice "Yo dood, you're lost". So to make life easy for various
> authorized scanners and similar on campus, I often do something like this:
>
>     -A input -p tcp -s 128.173.0.0/16 --syn -j REJECT --reject-with tcp-reset
>     -A input -p tcp -s 198.82.0.0/16 --syn -j REJECT --reject-with tcp-reset
>     -A input -p udp -s 198.82.0.0/16 -j REJECT --reject-with icmp-port-unreachable
>     -A input -p udp -s 128.173.0.0/16 -j REJECT --reject-with icmp-port-unreachable
>     -A input -j DROP
>
> Basically, if it's from one of our two on-campus /16s, and it's TCP, we RST
> back, and for UDP we ICMP back, so the other end gets the "no such port" clue
> in a few milliseconds rather than having to time out. If you're from off
> campus, you're probably not one of my users, so I don't feel any
> responsibility to make your life easy - you can sit there till you time out. ;)
>
> (Yes, this *is* a slight information leakage to an on-campus attacker, but
> the "play nice with campus" mostly outweighs it in my opinion.)
Valdis,

That is a reasonable recommendation. I will consider its use. The email list paid for itself today. :)

Not to open the worm can, but given all this discussion about filtering, how many of us are currently maintaining IPv6 in production? If so, please consider the V6 analog to iptables -- ip6tables, which allows for most table manipulation. Along that line, if you are using V6, how is it going?

Thanks,
Josh Richard
UofMN Duluth
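The "REJECT for trusted campus nets, DROP for everyone else" pattern Valdis describes, extended to the ip6tables analog Josh asks about, as an added example that is not from either poster. It assumes the built-in INPUT chain (Valdis's rules use a chain called "input"), uses documentation prefixes as constructed placeholders for the campus /16s, and prints the commands rather than running them so they can be reviewed before being piped into sh.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the friendly-reject ruleset
# for a list of trusted prefixes and picks iptables or ip6tables per prefix,
# with the matching "port unreachable" ICMP reject type for each family.
# Chain name INPUT and the sample prefixes are assumptions/placeholders.

# emit_rules CHAIN NET [NET...]
emit_rules() {
    chain=$1; shift
    for net in "$@"; do
        case $net in
            *:*) tool=ip6tables; unreach=icmp6-port-unreachable ;;
            *)   tool=iptables;  unreach=icmp-port-unreachable ;;
        esac
        # TCP SYN from a trusted net: answer with a RST so the client fails fast
        printf '%s -A %s -p tcp -s %s --syn -j REJECT --reject-with tcp-reset\n' \
            "$tool" "$chain" "$net"
        # UDP from a trusted net: answer with ICMP/ICMPv6 port unreachable
        printf '%s -A %s -p udp -s %s -j REJECT --reject-with %s\n' \
            "$tool" "$chain" "$net" "$unreach"
    done
    # Everyone else gets silence in both families and waits for a timeout
    printf 'iptables -A %s -j DROP\n' "$chain"
    printf 'ip6tables -A %s -j DROP\n' "$chain"
}

# Constructed sample: one IPv4 and one IPv6 "campus" prefix (RFC 5737/3849).
emit_rules INPUT 192.0.2.0/24 2001:db8::/32
```

The per-prefix REJECT lines must be appended before the final DROPs, since iptables evaluates a chain top to bottom and the first matching terminating target wins.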